Author Archive - Jeffrey Bernardino (Threat Researcher)

TrendLabs recently received a new FAKEAV sample, which we now detect as TROJ_FAKEAV.BLW. Like previous variants, it poses as a legitimate antivirus application that displays false detections, disables firewall and security center functions, and produces pop-up warnings to force affected users to purchase rogue antivirus software.

Unlike its predecessors, however, this sample uses the file name AV.exe. Users who are not computer-savvy may take this for a legitimate antivirus application. It uses registry shell spawning as its autostart technique, which means the malware is executed every time a user runs a file with the .EXE file name extension. It also uses any of the following application names:

%1 Antispyware 2010
Antivirus %1 2010
%1 Guardian 2010
%1 Guardian
%1 Defender 2010
%1 Antivirus
%1 Antivirus 2010
%1 Antivirus Pro
%1 Antivirus Pro 2010
%1 Internet Security
%1 Internet Security 2010

Note that %1 refers to the OS installed on the affected machine. This makes the malware flexible: it can tailor its name to the infected user's OS and take advantage of that OS's features.
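One defender-side check for the shell-spawning autostart described above, added here as an example that is not code from the post or from Trend Micro: it parses a constructed Registry Editor (.reg) export, which is a cleaner source than a live registry for offline triage, and flags any deviation from the clean Windows defaults for the .EXE association and the exefile open command ("%1" %*). The export text, the victim path and the av.exe command line are all constructed sample data.

```python
import re
from typing import Dict, List

# Constructed .reg export (Registry Editor 5.00 format); not taken from the post.
# The exefile open command has been redirected so that av.exe runs before
# every .EXE the user launches, which is the autostart technique described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\victim\\AppData\\Local\\av.exe\" /START \"%1\" %*"
IsolatedCommand="\"%1\" %*"
"""

# Clean Windows defaults for the two keys this hijack has to touch.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}


def parse_defaults(reg_text: str) -> Dict[str, str]:
    """Return {key path: default '@' value} for every key with a string default."""
    defaults, key = {}, None
    for line in reg_text.splitlines():
        line = line.lstrip("\ufeff")  # exports are often UTF-16 with a BOM
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            raw = line[3:-1]
            # .reg string values escape backslash and double quote with a backslash
            defaults[key] = re.sub(r'\\(["\\])', r"\1", raw)
    return defaults


def find_exe_hijack(reg_text: str) -> List[str]:
    """List every monitored key whose default value is missing or not the clean default."""
    findings = []
    defaults = parse_defaults(reg_text)
    for key, expected in EXPECTED.items():
        actual = defaults.get(key)
        if actual is None:
            findings.append(f"{key}: default value missing from export")
        elif actual != expected:
            findings.append(f"{key}: expected {expected!r}, found {actual!r}")
    return findings


if __name__ == "__main__":
    for finding in find_exe_hijack(SAMPLE_REG) or ["no exefile hijack found"]:
        print(finding)
```

The same comparison applies to the per-user copy of these keys under HKEY_CURRENT_USER\Software\Classes, which takes precedence over HKEY_CLASSES_ROOT and is a common place for this hijack.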

This may cause the user to panic since these are two of the most commonly used browsers. Users who are tricked into purchasing the bogus product are redirected to multiple rogue antivirus domains.

This list ensures that the malware can still reach other domains even if some have already been taken down. Lastly, this malware blocks the execution of files from security companies, which prevents affected users from scanning their computers.

When faced with these kinds of false alarms, Trend Micro urges users to calm down and avoid purchasing rogue antivirus products. This does not help solve the problem. Instead, it makes things even worse, as this is just a waste of hard-earned money.

This is only the latest tactic seen from the perpetrators of rogue antivirus malware. Recently, advanced threats researcher Sheryll Tiauzon spotted another FAKEAV run using Sandra Bullock's recent marital difficulties to spread malware. Search results for the string "Michelle McGee" were poisoned and led to rogue antivirus software detected as TROJ_FAKEAV.DPA and TROJ_FAKEAV.EHZ.

Trend Micro product users are protected by Smart Protection Network™, which prevents the download of the malicious files onto their systems via the file reputation service.

Non-Trend Micro product users, on the other hand, can also stay protected by using free tools like HouseCall, a highly popular and capable on-demand scanner that identifies and removes viruses, Trojans, worms, unwanted browser plug-ins, and other malware from users’ systems.